
Cross Site Scripting & Forgery Issue (XSS/CSRF) in NMC-Based Products

Note: This issue is resolved as of AOS 3.7.3 and higher for NMC1 (AP9617/18/19) and AOS v5.1.1 and higher for NMC2 based (AP9630/31/35) devices. Please visit our Software/Firmware download page to obtain a firmware download for your product(s).

Mr. Russ McRee of HolisticInfoSec.org notified APC of a low risk security vulnerability that affects APC Network Management Card (NMC) based devices. Following is a description of this issue and the actions underway by APC to mitigate and correct it. This report is the result of an engineered effort by a security analyst to determine vulnerabilities in APC products, together with a single field report of the same issue.

Issue as reported:

As reported, the NMC is vulnerable to Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks. As a result, authentication credentials for the NMC device can be created on and transmitted to the NMC by an unauthorized 3rd party, or a malicious internal user, in the context of an authenticated user's browser session. For this to succeed, an operator of a computer:

(1) Must be deceived (social engineering) into executing a malicious script on that computer;

(2) Where the computer is not located on a private network, or a network secured in any way (e.g. behind a firewall);

(3) Is an authorized user of that computer who runs programs on it such as Internet Explorer or Firefox;

(4) Has the proper credentials for installing and executing such programs on the computer itself;

(5) Has the proper credentials to access the NMC device as an "administrator" or "device" user;

(6) Then executes and injects, or executes or injects, the malicious script;

(7) While a session with the NMC is open and active.

If all of these conditions are met, and the target NMC is on an open network (i.e. not secured on a private network, or behind any type of firewall), a 3rd party or malicious internal user will then have the ability to contact the target NMC device, forge credentials to the device, and access the device as an authorized user.
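The mechanism behind the CSRF half of the issue, as an added illustration that is not APC code and does not model any real NMC endpoint: a browser attaches the NMC session cookie to every request sent to the NMC's origin, including a form auto-submitted by a page the attacker controls, so a handler that trusts the cookie alone treats the forged "add user" request as the logged-in administrator's own. The hardened handler additionally requires a per-session secret (a synchronizer token) that a cross-origin page cannot read, and rejects a mismatched Origin header when one is present. Handler names, field names, the session layout and the origin strings are all hypothetical.

```python
"""CSRF against a cookie-authenticated management interface: vulnerable vs hardened.

Added example, not APC's code. All endpoint/field names are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field

DEVICE_ORIGIN = "http://nmc.example.test"      # hypothetical NMC origin


@dataclass
class Request:
    cookies: dict
    form: dict
    origin: str = ""   # Origin header as the browser sends it; "" when absent


@dataclass
class Device:
    """Stand-in for the card's user database and session table (constructed)."""
    users: dict = field(default_factory=lambda: {"apc": "admin"})   # name -> role
    sessions: dict = field(default_factory=dict)                    # sid -> (user, csrf token)

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, secrets.token_hex(16))
        return sid

    def csrf_token(self, sid):
        # Only a page served from DEVICE_ORIGIN can read this value.
        return self.sessions[sid][1]

    def _admin_session(self, req):
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None or self.users.get(sess[0]) != "admin":
            return None
        return sess


def add_user_vulnerable(dev, req):
    """Trusts the session cookie alone: the shape of the reported problem."""
    if dev._admin_session(req) is None:
        return 403
    dev.users[req.form["name"]] = req.form["role"]
    return 200


def add_user_hardened(dev, req):
    """Same handler with a synchronizer token and an Origin check."""
    sess = dev._admin_session(req)
    if sess is None:
        return 403
    # Origin is attacker-visible but not attacker-settable from a browser page.
    if req.origin and req.origin != DEVICE_ORIGIN:
        return 403
    # Constant-time compare of the submitted token against the session's token.
    if not hmac.compare_digest(req.form.get("csrf", ""), sess[1]):
        return 403
    dev.users[req.form["name"]] = req.form["role"]
    return 200


def forged_request(sid):
    """What the admin's browser emits when an attacker page auto-submits a form:
    the session cookie rides along, the token does not."""
    return Request(cookies={"session": sid},
                   form={"name": "backdoor", "role": "admin"},
                   origin="http://attacker.example.test")


def legitimate_request(dev, sid):
    """A form submitted from the NMC's own page carries the session token."""
    return Request(cookies={"session": sid},
                   form={"name": "ops", "role": "device", "csrf": dev.csrf_token(sid)},
                   origin=DEVICE_ORIGIN)


def demo():
    """Run the forged request against both handlers and report outcomes."""
    results = {}
    dev = Device()
    sid = dev.login("apc")
    results["vulnerable_forged"] = add_user_vulnerable(dev, forged_request(sid))
    results["vulnerable_users"] = sorted(dev.users)

    dev = Device()
    sid = dev.login("apc")
    results["hardened_forged"] = add_user_hardened(dev, forged_request(sid))
    results["hardened_legit"] = add_user_hardened(dev, legitimate_request(dev, sid))
    results["hardened_users"] = sorted(dev.users)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token defence is only as strong as the origin it protects: a script injected through an XSS flaw on the same origin can read the token and submit it, which is why XSS and CSRF are reported together here and why the firmware fix, not the token alone, is the remedy.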

Affected Versions:

During the investigation of the reported matter, the reported and actual issue were found to be identical. While the report was specific to the Rack Mount Power Distribution device, this issue exists across the family of NMC based products.

Mitigation Strategy:

Although the issue is very narrow in scope, the following mitigation strategies can be employed to reduce or eliminate the potential for it to manifest.

• As XSS and CSRF vulnerabilities are specific to web applications, disabling the web interface on the NMC eliminates the possibility of this vulnerability being exploited. Other interface methods such as Telnet, CLI, SNMP, and serial connections are unaffected by this issue. Note that the web interface can be disabled via the config.ini or via any other interface on the NMC itself.

• Placement of NMC devices on a private or secure network (e.g. behind a firewall) limits who can reach the target NMC device, since an unauthorized 3rd party will not have access through the firewall. Note that a CSRF request is issued by the authenticated user's own browser, which already reaches the NMC, so network placement narrows the pool of attackers but does not remove the need for the firmware update.

• For those who accept the risk of leaving the web interface enabled: because this vulnerability requires access to the network the devices are connected to, good physical and network security that restricts access to that network will significantly limit any opportunity to attempt this narrow vulnerability. Additionally, industry standard security practices, such as restricting administrator access on computers and operating security scanners, firewalls and other accepted, commercially available computer security solutions, will further mitigate the issue.

APC Actions:

As APC is concerned about any potential vulnerability no matter how narrow, we are undertaking the following steps to contain and correct this issue.

• APC has made a complete report of this finding to Mr. McRee, who was responsible for finding the vulnerability.

• An update (AOS v3.7.3 or AOS v5.1.1 or higher, depending on the card) is available for each relevant product and application, and is available to the general public via our web site (www.apc.com).